EUVD-2025-16901CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4Description
A vulnerability classified as critical was found in PHPGurukul Student Result Management System 1.3. This vulnerability affects unknown code of the file /editmyexp.php. The manipulation of the argument emp1ctc leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis
Critical SQL injection vulnerability in PHPGurukul Student Result Management System version 1.3, exploitable through the emp1ctc parameter in /editmyexp.php. An unauthenticated remote attacker can manipulate this parameter to inject malicious SQL commands, potentially leading to unauthorized data access, modification, or deletion. With a publicly disclosed exploit and CVSS 7.3 rating reflecting network-based remote exploitation with low attack complexity and no authentication requirements, this vulnerability poses significant risk to exposed instances.
Technical Context
The vulnerability stems from improper input validation and parameterization in the /editmyexp.php file, classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The vulnerable parameter 'emp1ctc' is processed without adequate SQL query parameterization or input sanitization, allowing an attacker to break out of the intended SQL context and inject arbitrary SQL code. PHPGurukul Student Result Management System is a PHP-based web application (CPE context suggests: cpe:2.3:a:phpgurukul:student_result_management_system:1.3), likely running on Apache/Nginx with PHP and a MySQL/MariaDB backend. The root cause is the absence of prepared statements or parameterized queries, relying instead on direct string concatenation of user input into SQL statements.
Affected Products
Student Result Management System (['1.3'])
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today